Independent Submission V. Dolmatov, Ed. 
Request for Comments: 5831 Cryptocom, Ltd. 
Category: Informational March 2010 
ISSN: 2070-1721 


GOST R 34.11-94: Hash Function Algorithm 


Abstract 


This document is intended to be a source of information about the 
Russian Federal standard hash function (GOST R 34.11-94), which is 
one of the Russian cryptographic standard algorithms (called GOST 
algorithms). Recently, Russian cryptography is being used in 
Internet applications, and this document has been created as 
information for developers and users of GOST R 34.11-94 for hash 
computation. 


Status of This Memo 


This document is not an Internet Standards Track specification; it is 
published for informational purposes. 


This is a contribution to the RFC Series, independently of any other 
RFC stream. The RFC Editor has chosen to publish this document at 
its discretion and makes no statement about its value for 
implementation or deployment. Documents approved for publication by 
the RFC Editor are not a candidate for any level of Internet 
Standard; see Section 2 of RFC 5741. 


Information about the current status of this document, any errata, 
and how to provide feedback on it may be obtained at 
http://www.rfc-editor.org/info/rfc5831. 
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1. Introduction 
1.1. General Information 


1. GOST R 34.11-94 [GOST3411] was developed by the Federal Agency 
for Government Communication and Information and by the All-Russia 
Scientific and Research Institute of Standardization. 


2. GOST R 34.11-94 was accepted and activated by Act 154 of 
23.05.1994 issued by the Russian Federal committee for standards. 


1.2. The Purpose of GOST R 34.11-94 


Expanding the application of information technologies when creating, 
processing, and storing documents requires, in some cases, 
confidentiality of their contents, maintenance of completeness, and 
authenticity. 


Cryptography (cryptographic security) is one of the effective 
approaches for data security. It is widely applied in different 
areas of government and commercial activity. 


Cryptographic data security methods are under serious scientific 
research and standardization efforts at national, regional, and 
international levels. 


GOST R 34.11-94 defines a hash function calculation procedure for an 
arbitrary sequence of binary symbols. 


The hash function maps an arbitrary set of data represented as a 
sequence of binary symbols onto its image of a fixed small length. 


Thus, hash functions can be used in procedures related to the 
electronic digital signature, resulting in considerable reduction of 
elapsed time for the sign and verify stages. The effect of the 
reduction of time is due to the fact that only a short image of 
initial data is actually signed. 


2. Applicability 


GOST R 34.11-94 defines an algorithm and procedure for the 
calculation of a hash function for an arbitrary sequence of binary 
symbols. These algorithms and procedures should be applied in 
cryptographic methods of data processing and securing, including 
digital signature procedures employed for data transfer and data 
storage in computer-aided systems. 
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The hash function, defined in GOST R 34.11-94, is used for digital 
signature systems based on the asymmetric cryptographic algorithm 
according to GOST R 34.10-2001 (see section 3). 


3. Conventions Used in This Document 
The following notations are used in GOST R 34.11-94: 


V_all is a set of all finite words in the alphabet V = {0,1}. The 
words are read from right to left and the alphabet symbols are 
numbered from right to left (i.e., the rightmost symbol of the word 
has the number one, the second rightmost symbol has number two, 
etc.). 


Vk is a set of all words in alphabet V = (0,1) of length k bits 
(k=16,64,256). 


|A | is the length of a word A belonging to V_all. 

A||B is a concatenation of words A, B belonging to V_all. Its length 
is |a| + |B|, where the left |A| symbols come from the word A, and 
the right B| symbols come from the word B. One can also use the 


notation A||B = A * B. 


A”k is a concatenation of k copies of the word A (A belongs to 
V_all). 


<N>_k is a word of length k, containing a binary representation of 
N(mod 2^k) residue, with a non-negative integer N. 


A”$ is a non-negative integer with A as its binary representation. 


(xor) is the bitwise modulo 2 addition of the words of the same 
length. 


(+)’ is the addition according to the rule A (+)’ B = <A”$+ B*S>_k, 
where k = [A | = |B|. 


M is a binary sequence to be hashed, M belongs to V_all. M isa 
message in digital signature systems. 


h is a hash function that maps the sequence M belonging to V_all onto 
the word h(M) belonging to V_256. 


E(k,A) is a result of the encryption of the word A using key K with 


the encryption algorithm according to [GOST28147] in the electronic 
codebook (ECB) mode (K belongs to V256, A belongs to V64). 
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hO is an initial hash value. 
e := g is the assignment of the value g to the parameter e. 
“ is the power operator. 
i = 1..8 is an interval with i being all the values from 1 to 8. 
hUZ is the S-boxes described in [GOST28147]. 
4. General Statements 
A hash function h is the mapping h : V_all -> V256, depending on the 
parameter (which is the initial hash value H, H is a word from V256). 
To define the hash function, it is necessary to have: 
— a calculation algorithm for the step-by-step hash function 


chi : V256 x V256 -> V256 


— a description of an iterative procedure for calculating the hash 
value h 


A hash function h depends on two parameters, h0 and hUZ. 
5. Step-by-Step Hash Function 


A calculation algorithm for the step-by-step hash function contains 
three parts, which successively do: 


— key generation, here keys are 256-bit words; 
— an encryption transformation, that is encryption of 64-bit 


subwords of word H using keys Kļi], (i = 1, 2, 3, 4) with the 
algorithm according to [GOST28147] in ECB mode; and 


— a mixing transformation for the result of the encryption. 


5.1 Key Generation 


Consider X = (b[256], b[255], ..., b[1]) belongs to V256. 
Let: 
X = x[4]||x[3] | |x[2] ||x [1] = eta[16]|| [eta15]||...||eta[1] 
= xi[32]]||xi(311||...[|xil[1], where 
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x[i] = (b[i*64],...,b[ (1-1) *64+1]) belongs to V64, 1..4, 
eta[j] = (b[3*16],...,b[(j-1)*16+1]) belongs to V16, 1..16, 
xi[k] = (b[k*8],..., b[(k-1)*8+1]) belongs to V8, k = «324 
Yet, another notation: A(X) = (x[1](xor)x[2]) ||x[41]||x[31]|]|x[2]. 
The transformation P : V256 -> V256 maps the word xi32||...||xil 
onto the word xil[phi(32)] || ... || xilphi(1)], 
where phi(i +1+4(k-1)) = 8i+k, i 5 0..3, k= .8. 


For the key generation, one should use the following initial data: 


— words H, M belonging to V256, 


— parameters: words C[i] (i = 2, 3, 
C[2] = C[4] = 0256; 
cC[3] S148] |o+8| | 1-16] |0*24 
|| co^8|]1^8)^4|| Ce) [048 


The following algorithm is used for the key calculation: 


1. Assign values: 


2. Calculate: 


W = U (xor) V, K[i] = P(W). 


3. Assign: 


4. Verify condition: 


If it is true, go to step 7. If not, 


5. Calculate: 


4), with values: 


)*4. 


go to step 5. 


U := A(U) (xor)C[i], V := A(A(V)), 
W := U(xor)V, K[i] = P(W). 
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6. Go to step 3. 
7. End. 
5.2. Encryption Transformation 


At this stage, 64-bit subwords of the word H are encrypted using keys 
Klid Ci. = 25. By. dus 


For the encryption transformation, one should use the following 
initial data: 


H = h[4]]||hī3]||n[2] || h( 13, 


where h[i] belongs to V64, i = 1,2,3,4, and a key set is K[1], K[2], 
K[3], K[4]. 


The encryption algorithm is applied and the following words are 
obtained: 


s[i] = E(K[i],h[i]), where: i = 1,2,3,4 
As a result of the stage, the following sequence is formed: 
$=-l41||sšīšil|sīži](sttik 
5.3. Mixing Transformation 
At this stage, the obtained sequence is mixed using a shift register. 


The initial data includes words H, M belonging to V256 and a word S 
belonging to V256 


Let a mapping PSI(X) : V256(2) -> V256(2) transform the word: 
eta[16]|]eta(15]||...||etal1], eta[i] belongs to V16, i = 1..16 
into the word: 


(xor)eta[3] (xor)eta[4] (xor) eta[13] (xor) eta[16] 


eta[1] (xor)eta[2] 
|eta[2]. 


| |eta[16]||... 
Then, the value of the step-by-step hash function value is the word: 
chi(M, H) = PSI”61(H(xor)PSI(M(xor)PSI”12(S))), 


where PSI”i(X) is the transformation PSI applied i times to X. 
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6. The Calculation Procedure for a Hash Function 


The calculation procedure 


for a hash function h is assumed to be 


applied to a sequence M belonging to V_all. Its parameter is an 
initial hash value h0, which is an arbitrarily fixed word from V256. 


The calculation procedure 


for the function h uses the following 


quantities at each step of iteration: 


_M_ belonging to V_all - a part of the sequence M, which was not 
hashed at previous iterations; 


H belonging to V256 - the 
SIGMA belonging to V256 - 


L belonging to V256 - the 
at the previous iteration 


The calculation algorithm 
steps: 


current hash value; 
the current check sum value; 


length of the partial sequence M processed 
step. 


for function h consists of the following 


Step 1. Assign initial values to current quantities: 


1.1 M := M. 

1.2 H := ho. 

1.3 SIGMA := 0%256. 
1.4 L := 0%256. 

1.5 Go to step 2. 


Step 2. 


2.1 Verify the condition |_M_|>256. 


If it is true, go to step 


3. 


Else, make the following calculations: 


2.2 L := <L^$ + |M|>_256 
2.3 M” := 0^(256 -|M|) | |M 
2.4 SIGMA := SIGMA (+)’ M’ 
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2.5 H := chi (M', H) 
2.6 H := chi (L, H) 
2.7 H := chi (SIGMA, H) 
2.8 End. 
Step 3. 
3.1 Calculate a subword M_s belonging to V256 of the word M 
(_M_ = Mp||M_s). Then make the following calculations: 
3.2 H := chi (Ms, H) 
3.3 L := <L*S + 256>_256 
3.4 SIGMA := SIGMA (+)’ M[s] 


3.5 M = Mp 
3.6 Go to step 2. 


The guantity H obtained at step 2.7 is the value of the hash function 
h(M). 


7. Test Examples (Informative) 
It is recommended to use the values for substitution units pili], 


pi[2],..., pi[8] and the initial hash value H described in this 
appendix for the GOST R 34.11-94 test examples only. 
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7.1. Usage of the Algorithm GOST 28147-89 


The algorithm GOST 28147-89 [GOST28147] 
encryption transformation in the following examples. The following 
values of the substitution units pi[1], 


chose 


15 


ne 


G 


2 


C 


F 


E 


5 


B 


2 


5 


3 


B 


5 


9 


The hexadecimal value 


j 
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= 1. 


.8, 


and in a 


9 


3 


of pi[j] (i) 


row number i, i = 
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4 March 2010 


in ECB mode is used as an 


pi[2],..., pi[8] have been 


is given in a column number j, 


0..15. 
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7.2. Representation of Vectors 
We will put down binary symbol sequences as hexadecimal digits 
strings, where each digit corresponds to four signs of its binary 
representation. 

7.3 Examples of the Hash Value Calculation 


A zero vector, for example, can be taken as an initial hash value: 


hO = 00000000 00000000 00000000 00000000 
00000000 00000000 00000000 00000000 


7.3.1. Hash Calculation for the Sample Message M 


M = 73657479 62203233 3D687467 6E656C20 
2C656761 7373656D 20736920 73696854 


Initial values are assigned for the text: 


M_ = 73657479 62203233 3D687467 6E656C20 
2C656761 7373656D 20736920 73696854 


for the hash function: 


H = 00000000 00000000 00000000 00000000 
00000000 00000000 00000000 00000000 


for the sum of text blocks: 

SIGMA = 00000000 00000000 00000000 00000000 
00000000 00000000 00000000 00000000 

for the length of the text: 


L = 00000000 00000000 00000000 00000000 
00000000 00000000 00000000 00000000 


If the length of the message to be hashed equals 256 bits (32 bytes), 
then: 


L = 00000000 00000000 00000000 00000000 
00000000 00000000 00000000 00000100 


M” = _M_ = 73657479 62203233 3D687467 6E656C20 
2C656761 7373656D 20736920 73696854 


Dolmatov Informational [Page 11] 


RFC 5831 


and there is no need to pad the current block with zeroes: 


SIGMA=M’ = 73657479 62203233 3D687467 6E656C20 
2C656761 7373656D 20736920 73696854 


The step-by-step hash function chi(M, N) 


GOST R 34.11-94 


The keys are generated: 


K[1] = 733D2C20 
626E7373 


K[2] = 110C733D 
1D00626E 


K[3] = 80B111F3 
620C1DFF 


K[4] = AOE2804E 


65686573 74746769 
20657369 79676120 


0D166568 130E7474 
161A2065 090D326C 


730DF216 850013F1 
3ABAE91A 3FA109F2 


FF1B73F2 ECE27A00 


EE1D620C 


ACOCCSBA A804C05E 


326C6568 
33206D54 


06417967 
4D393320 


C7E1F941 
F513B239 


E7B8C7E1 
A18BOAEC 


March 2010 


values are calculated. 


The 64-bit subwords of block H are encrypted by the algorithm 
according to GOST 28147. 


Block h[1] = 00000000 00000000 is encrypted 


s[1] = 42ABBCCE 32BC0B1B is obtained. 


Block h[2] = 00000000 00000000 is encrypted 


s[2] = 5203EBC8 5D9BCFFD is obtained. 


Block h[3] = 00000000 00000000 is encrypted 


s[3] = 8D345899 OOFFOE28 is obtained. 


Block h[4] = 00000000 00000000 is encrypted 


s[4] = E7860419 OD2A562D is obtained. 


So S = E7860419 OD2A562D 8D345899 O00FF0E28 


5203EBC8 5D9BCFFD 42ABBCCE 32BC0B1B 


is obtained. 


using key K[1] 


using key K[2] 


using key K[3] 


using key K[4] 


and 


and 


and 


and 


The mixing transformation using a shift register is performed and 


KSI = chi(M, H) 


is obtained. 
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= CF9A8C65 505967A4 68A03B8C 42DE7624 
D99C4124 883DA687 561C7DE3 3315C034 
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Assign 


K[1] 


K[2] 


K[3] 


K[4] = 


KSI = 


GOST R 34.11-94 


H = KSI and calculate chi(L, H): 


CF68D956 
50428833 


8FCF68D9 
BB504288 


4E70CE97 
CABB50BD 


584E70CF 
EDCABB50 


66B70F5E 
E5EC8A37 


2B6EC233 
DD3848D1 


Now assign H = 


K[1] = 


K[2] = 


K[3] 


K[4] 


KSI = 


Then, 


H = 
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5817F104 
A531B57A 


E82759E0 
D2C73DA8 


77483AD9 
FBC3DAA0 


A1157965 
7684ADCB 


2AEBFA76 
C31E7435 


FAFF37A6 
EO9525F3 


FAFF37A6 
EO9525F3 


9RAO9C1C 
59DE3D15 


809AA09C 
2859DE3D 


3C8065A0 
E3D7A6DE 


C53C8065 
78E3D7A6 


F163F461 
3FD42279 


C7BC89E4 
C6AC997A 


KSI again 


OBD45D84 
9C8FDFCA 


C278D950 
19A6CAC9 


F7C29CAA 
7CB555F0 


2D9FBC9C 
FA4ACA06 


A85FB57D 
4930FD05 


15A81669 
9F811983 


the hash result is: 


15A81669 
9F811983 


8C3B417D 
6776A6C1 


3C8C3B41 
666676A6 


853C8CC4 
D1996788 


48853C8C 
EED19867 


468A9528 
3CD1602D 


2ABC2692 
24F74E2B 


and calculate chi( 


B6522F27 
BB1EFCC6 


15CC523C 
3E8440F5 


EB06D1D7 
D4968080 


088C7CC2 
53EFF7D7 


6F164DE9 
1F8A4942 


1CFF3EF8 
2EB81975 


1CFF3EF8 
2EB81975 


658C24E3 
A4248734 


C7658C24 
B3A42487 


57389A8C 
5CB35B24 


1657389A 
7E5CB35B 


61D60593 
DD783E86 


5FEA7285 
O9A3AEF7 


4AF5B00B 
D7A517A3 


FC72EBB6 
CODDB65A 


841BCAD3 
OA9YES56BC 


46FB3DD2 
C0748708 


2951A581 
550A582D 


B68CA247 
D366C4B1 


B68CA247 
D366C4B1 
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SIGMA, H): 
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7.3.2. Hash Calculation for the Sample Message M 

Let M = 7365 74796220 3035203D 20687467 6E656C20 
73616820 65676173 73656D20 6C616E69 
6769726F 20656874 2065736F 70707553 


As the length of the message to be hashed equals 400 bits (50 bytes), 
the message is divided into two blocks, and the second (high-order) 
one is padded with zeroes. During the calculations the following 
numbers are obtained: 


STER: T 


H = 00000000 00000000 00000000 00000000 
00000000 00000000 00000000 00000000 


M_s = 73616820 65676173 73656D20 6C616E69 
6769726F 20656874 2065736F 70707553 


K[1] = 73736720 61656965 686D7273 20206F6F 
656C2070 67616570 616E6875 73697453 
K[2] = 14477373 0C0C6165 1F01686D 4F002020 
4C50656C 04156761 061D616E 1D277369 
K[3] = CBFF14B8 6D04F30C 96051FFE DFFFB000 
35094CAF 72F9FB15 7CF006E2 AB1AE227 
K[4] = EBACCB00 F7006DFB E5E16905 BOBODFFF 
BA1C3509 FD118DF9 F61B830F F8C554E5 
S = FF41797C EEAADAC2 43C9B1DF 2E14681C 
EDDC2210 1EE1ADF9 FA67E757 DAFE3AD9 
KSI = FOCEEA4E 368B5A60 C63D96C1 E5B51CD2 
A93BEFBD 2634F0AD CBBB69CE ED2D5D9A 
STEP 2. 
H = FOCEEA4E 368B5A60 C63D96C1 ESB51CD2 
A93BEFBD 2634F0AD CBBB69CE ED2D5D9A 
M” = 00000000 00000000 00000000 00007365 
74796220 3035203D 20687467 6E656C20 
K[1] = FOC6DDEB CE3D42D3 EA968D1D 4EC19DA9 
36651683 8BB50148 5A6FD031 60B790BA 
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K[2] 


K[3] 


K[4] 


KSI 


K[2] 


K[2] 


K[3] 


KSI 
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16A4C6A9 
FB68E526 


C49D846D 
9DCB0 644 


BDBOC9F0 
1CAD9536 


62A07EAS 
6881EB66 


95BEAOBE 
B8287CB6 


95BEAOBE 
B8287CB6 


00000000 
00000000 


95FEB83E 
88432CF6 


8695FEB8 


F 9DF3D3B 
2CDBB534 


1780482C 
D1E641E5 


756E9131 


GOST R 34.11-94 


E4FC96EF 
FE161C83 


9086887F 
A02109AF 


E1F290EA 


5309C1BD 
6F7DD2C8 


C48C9186 
9D52C7CF 


50E4CBB1 


F4E4B674 


EF3C3309 
F5C7959F 


88D5AA02 
2CBC135B 


99F31E29 


2CE1B076 
63FCA1F1 


FE3C9D45 
3E339EFE 


88D5AA02 
2CBC135B 


FE3C9D45 
3E339EFE 


00000000 
00000000 


BE3C2833 
D56CBC57 


1BBE3C28 


00000000 
00000000 


A09D7C9E 
AAE8136D 


E2A09D7C 


DA88432C 


8695FEB8 


EBD56CBC 


7FABE813 


1BBE3C28 


E2A09D7C 


DA88432C 


B9799501 
6FDA88BC 


94B97995 
346FDA88 


D42336E0 
9FDDFF20 


47E26AFD 
A3D97E7E 


47E26AFD 
A3D97E7E 


EBD56CBC 


141B413C 
D0142A6C 


7D141B41 
46D0142A 


2A0A6998 
4808E863 


3E7278A1 
A744CB43 


3E7278A1 
A744CB43 


7FABE813 


1EE2A062 
FA80AA16 


C21EE2A0 
BDFA81AA 


6C65478A 
94FD9D6D 


7D473785 
O8AA4C24 


7D473785 
O8AA4C24 


7O0C52AFA 


173D48CC 
D33C31B8 


436CE821 
F6576CA9 


436CE821 
F6576CA9 


00000000 
00000190 


BE45B6FE 
02215B39 


48BE45B6 
F292215B 


48BE45B6 
F292215B 


0CB74145 
15F2FDB1 


040CB741 
DC1562FD 


3D08A1B9 
F776A7AD 


06140773 
3352C745 


06140773 
3352C745 
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SIGMA = 73616820 65676173 73656D20 6C61E1CE 
DBE2D48F 509A88B1 40CDE7D6 DED5E173 


K[1] = 340E7848 83223B67 O25AAAAB DDASF1F2 
5B6AF7ED 1575DE87 19E64326 D2BDF236 
K[2] = O3DCOEDO F4CD26BC 8B595F13 F5A4A55E 
A8B063CB ED3D7325 6511662A 7963008D 
K[3] = C954EF19 D0779A68 ED37D3FB 7DASADDC 
4A9D0277 78EF765B C4731191 7EBB21B1 
K[4] = 6D12BC47 D9363D19 1E3C696F 28F2DC02 
F2137F37 64E4C18B 69CCFBF8 EF72B7E3 
S = 790DD7A1 O66544EA 2829563C 3C39D781 
25EF9645 EE2CO5DD ASECAD92 2511A4D1 
KSI = 0852F562 3B89DD57 AEB4781F ES4DF14E 
EAFBC135 0613763A OD770AA6 57BA1A47 

Then, the hash result is: 
H = 0852F562 3B89DD57 AEB4781F E5S4DF14E 
EAFBC135 0613763A OD770AA6 57BA1A47 

8. Security Considerations 


This entire document is about security considerations. 


Current cryptographic resistance of GOST R 34.11-94 hash algorithm is 
estimated as 2%128 operations of computations of step hash functions. 
(There is a known method to reduce this estimate to 2%105 operations, 
but it demands padding the colliding message with 1024 random bit 
blocks each of 256-bit length; thus, it cannot be used in any 
practical implementation). 
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